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Abstract —Physical Unclonable Functions evaluate manufac¬ 
turing variations to generate secure cryptographic keys for 
embedded systems without secure key storage. It is explained 
how methods from coding theory are applied in order to ensure 
reliable key reproduction. We show how better results can be 
obtained using code classes and decoding principles not used for 
this scenario before. These methods are exemplified by specific 
code constructions which improve existing codes with respect to 
error probability, decoding complexity and codeword length. 

Index Terms —Physical Unclonable Functions, Generalized 
Concatenated Codes, Reed-Muller Codes, Reed-Solomon Codes 

I. Introduction 

Cryptographic applications require random, unique and un¬ 
predictable keys. Since most cryptosystems need to access the 
key several times, it usually has to be stored permanently, 
which is a potential vulnerability regarding security. Imple¬ 
menting secure key generation and storage is therefore an 
important and challenging task. 

A Physical Unclonable Function (PUF) is a, typically 
digital, circuit that possesses an intrinsic randomness due to 
process variations during manufacturing and can therefore be 
used to generate a key. This key can be reproduced on demand. 
However, the PUF output when reproducing a key varies, 
which can be interpreted as errors. Thus, error correction must 
be used in order to compensate this effect. Previous work 
on this topic used standard constructions, e.g. an ordinary 
concatenated scheme of a BCH and Repetition code in m. 
In this paper, we extend our results from 0 and propose code 
constructions based on generalized concatenated, Reed-Muller 
and Reed-Solomon codes for the application with PUFs, which 
have advantages with respect to decoding complexity, error 
correction capability and code length. The paper first describes 
PUFs and explains how coding theory is applied to realize key 
generation and reproduction using PUFs. Section Hill describes 
methods and codes suitable for this scenario. Finally, specific 
code constructions, improving those commonly used for PUFs, 
exemplify these methods in Section [IV] We summarize the 
results in the last section. 

II. Physical Unclonable Functions 

In 0. a PUF is described as a physical entity which uses 
an input (challenge) in order to produce an output (response), 
where a challenge can result in different responses when 
applied to a certain PUF instance several times. The dis¬ 
tance of two such responses is called intra-distancc^. Reasons 
for these varying responses are random noise, measurement 

'With distance we mean the Hamming distance dn- 


uncertainties, aging and changing environmental conditions 
like temperature or supply voltage. A small response intra¬ 
distance is preferred, since there is a need for reproducibility of 
responses. The distance of the responses of two different PUF 
instances using the same challenge is called inter-distance, 
and results from variations during the manufacturing process. 
This measure gives us the distinguishability of different PUF 
instances, which is preferred to be large. Unclonable means the 
hardness of manufacturing two PUFs with the same challenge- 
response-behavior. There are many possibilities to realize 
PUFs, e.g. delay-based (e.g. Ring Oscillator PUFs) or memory- 
based (e.g. SRAM PUFs). An overview of popular types can 
be found in 0. 

PUFs can be used in order to realize secure key generation 
and storage for cryptographic applications. Due to static ran¬ 
domness over the PUFs lifetime, it is possible to regenerate a 
key repeatedly on demand instead of storing it permanently. As 
described above, PUF responses are not exactly reproducible 
and therefore a response cannot be used as key directly. Hence, 
methods of coding theory must be used. 

One way to realize key reproduction is the Code-Offset 
Construction 0 (cf. Figure [TJ. First, for a given challenge 
a response r is generated by the PUF (I). The Helper Data 
Generation (II) subtracts a random codeword c of a given 
code C(n,k,d) from r and stores the result e = r — c in the 
Helper Data Storage (III). Afterwards, the response r can be 
deleted. Hence, if an attacker is able to read this storage, he is 
left with an uncertainty as large as the number of codewords. 
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Figure 1. Key Generation and Reproduction in PUFs. 

For regenerating the original response, the same challenge 
must be used to obtain a response r' which is likely to differ 
slightly from r. For most PUFs, this can be interpreted as an 
additive error r' = r + e' = c + e + e', resulting from a binary 















symmetric channel (BSC) with crossover probability p, where 
p is given by the PUF. If wtj-i (e') = dn (r, r') is within the 
error correction capabilities of the code, the Key Reproduction 
(IV) procedure is able to reproduce the first-time response r 
by decoding r' — e = c + e + e' — e = c + e' with a decoder 
of the code C(n,k,d) (decoding result c). 

Other possibilities for implementing key reproduction are 
the Syndrome Construction @], Index-Based Syndrome Coding 
a, Complementary Index-Based Syndrome Coding 0 and 
Differential Sequence Coding G). One main challenge is to 
find good codes that can be used for key reproduction. 

If an attacker is able to read e from the helper data storage, 
his uncertainty about the response r is equal to the uncertainty 
of c, namely 2 k codewords. Hence, the uncertainty of the 
extracted key cannot be larger than the dimension of the 
used code. Also, this uncertainty is even smaller due to the 
fact that the PUF responses themselves are not necessarily 
independent and uniformly distributed. Since we want to obtain 
a uniformly distributed cryptographic key, f must be hashed 
by a cryptographic hash function (V) before it can be used. 
The combination of key reproduction and a hash function is 
usually referred to as Fuzzy Extractor 0. 

III. Code Constructions 

Code design for key reproduction in PUFs is analog to 
standard problems in coding theory for a given channel, e.g. a 
BSC with crossover probability p. A typical goal is to design a 
code with a block error probability P err smaller than a certain 
threshold. The dimension of the code must be at least the 
length of the key that should be generated. Also, the designed 
codes must be binary. The length of the codewords can be 
chosen arbitrarily, but for generating one key, at least as many 
bits as the codeword length have to be extracted from the PUF, 
which determines the size of the PUF. Since the decoder is 
usually part of an embedded security device, the decoding 
method must be easy to implement in hardware. Here, we 
describe suitable construction and decoding methods. 

A. Generalized Concatenated Codes 

The authors of 0 found that concatenated codes are advis¬ 
able for implementing key reproduction. Instead of ordinary 
concatenated codes, we propose using Generalized Concate¬ 
nated (GC) codes as introduced in fTOl and CD. A GC code 
with given n and d contains more codewords and hence has a 
higher code rate than an ordinary concatenated code with the 
same parameters. 

The main idea of GC codes is to partition an inner code B 1 ' 1 ' 1 
of length rii into multiple levels of subcodes. Let £>? denote 
the j-th subcode at partition level i. The goal is to create parti¬ 
tions such that the minimum distances of the subcodes increase 
strictly monotonically from level to level in the partition tree. 
Each codeword of B^ can be uniquely determined using a 
numeration of the partition. This numeration is protected by 
outer codes. Code A !,:> of length n 0 denotes the outer code 
which protects the numeration of the partition from level i to 
level i + 1. For a detailed description of GC codes, we refer 
to fIT) . 

B. Reed-Muller Codes 

A Reed-Muller (RM) code KM(r,m) of order r with 
r < m is a binary linear code with parameters n = 2 m , 


k = X^=o (?) anc * d = 2 m r . It can be defined recursively 
using the Plotkin Construction IH: 


KM (r, to) 


(a|a + b) 


a £ 7ZM(r, to — 1) 
b £ KM(r — 1,to — 1) 


with KM(0,m) := C(2 m ,l,2 m ) (Repetition code) and 
KM(m - 1, to) := C(2 m , 2 m - 1,2) (Parity Check code) for 
all to. KM(l,m .) codes are called Simplex codes. 

RM codes work well for PUF key reproduction due to 
an easily implementable decoding, which can also be done 
recursively using Algorithm|T] which can correct up to r errors 
and 5 erasures if 2r + <5 < d. Erasures are treated as third 
symbol ® besides 0 and 1, and the operation + is extended 
such that <g> + :c = :E-|-<g>:=<S> for all x £ {0, 1, 0}. Within 
the description of Algorithm Q] + is applied component-wise. 
Decoding of the repetition and parity check codes (base cases 
of the recursion) works as usual by ignoring all code positions 
with erasures. Alternatively, RM codes can be defined as GC 
codes and decoded using the algorithm described in fl2l. 


Algorithm 1 Recursive KM (r, to) Decoder lfl3l 

Require: y = (y a |y6) = (a + e a |a + b + e b ) G (0, l,®} 2 ™ 

1: Decode y a + y& = b + e a + in lZM(r — 1, m — 1) => b 
2: Dec. yt + b = a + (b + b) + e a + in KM (r, m — 1) => fii 
3: Dec. y a = a + e a in KM(r, m — 1) => &2 
4: Find i G {1, 2} such that dn(y, (ai|a; + b)) minimal 
5: return (a, ; |a, + b) 


Using RM codes in the PUF scenario is reasonable because 
Algorithm Q] can be implemented efficiently. Since it can han¬ 
dle both errors and erasures, it also works in combination with 
Generalized Minimum Distance decoding (cf. Section IHI-Db . 
Furthermore, RM codes are proper for partitioning because 
KM(ri,m) C KM(rj , to) for all ri < Tj and partitioning of 
linear block codes into cosets of a linear subcode can be done 
easily IfTTl . This property makes them suitable in a GC code. 
However, RM codes are not maximum distance separable. 
Also, the dimension k cannot be chosen arbitrarily. RM codes 
have been used before for key reproduction in PUFs 0, lfT4l . 

C. Reed-Solomon Codes 

Reed-Solomon (RS) codes are one of the most commonly 
used codes in applications of coding theory due to the existence 
of efficient decoding algorithms. We describe the basics of 
RS codes according to HD- Let F 9 be a finite field and a a 
generator of F*. 

Definition 1 (Discrete Fourier Transform (DFT)). For a 
polynomial c(x) G Fq[x] with degc(cc) < n, the DFT 
C(x ) = T {c(x)} •—o c(x) is defined by 

Cj = n~ 1 c(a~i) Vj G {0,..., n — 1} 

and the inverse DFT c(x) := T 1 {C(x)} o— •C(x) is 

Ci = C(a x ) Mi G {0,... , n — 1} 

Definition 2 (Reed-Solomon codes). A Reed-Solomon code 
over a field F g is defined as 

KS(q\n,k) = |c(cc)o—•C'(:r) : degC(a;) < fcj 

RS codes are maximum distance separable (MDS), that 
means d = n—k+l. There are several algorithms for decoding 








RS codes both for decoding up to half the minimum distance 
and beyond. An overview of the most important decoding 
methods for RS codes can be found in 1TT31I . 

In this paper, we use the method of Power Decoding m 
which is easily implementable using Shift-Register Synthesis 
and can correct beyond half the minimum distance for small 
code rates. Since we use RS codes with small rates in our 
construction, this method suits perfectly. The idea of Power 
Decoding is to power the received word r(x) = c(x) + e(x ) 
with some positive integer £: 


M {x) = ^(ci + ei)V = J2 (E H H 


i=0 
n— 1 


i=0 \j =0 


= E(^ + ^ x ' = c [e] {x) + e w (x) 


such that for some *, e, = 0 yields e, = 0, but not necessarily 
the other way round. Hence, wtH(e^(a;)) < wtH(e(at)) and 
the indices of the nonzero coefficients of e^(x) are a subset 
of those of e(:r). From the properties of the DFT, we know 
that c^l(a;)o—•( C(x)) e . Since degC'(a;) < k — 1 implies 
deg(C(a:))^ < £(fc —1), we know that c^(a;) is a codeword of 
TZSiq; n, fc^ := £(k — 1) + 1) for all £ with £{k — 1) +1 < n. 
We denote the maximum £ such that this inequality is fulfilled 
by £max- This approach is usually referred to as Virtual 
Interleaving. Since we know that the errors in all received 
words A^(x) are at the same positions, collaborative decoding 
as described in E0 can be used to improve the decoding 
capability. It is shown in M Section V] that, except for a 
negligible probability of decoding failure, Power Decoding 
using powers up to £ < £ ma x can correct up to 


2£n - £{£ + 1 )k + £{£ - 1) 

2 (£ + 1 ) 


( 1 ) 


errors. It can also be shown that £ m ax is upper bounded by 


yj(k + 3) 2 + 8(fc — 1 ){n - 1) — (fc + 3) 

2(fc — 1) K) 


Combining Q and Q, we obtain a maximum error correction 
radius as shown in Figure [2] Note that for low rate codes the 
algorithm can correct far beyond half the minimum distance. 



Figure 2. Maximum Decoding Radius for Power Decoding RS Codes. 

Most RS decoding algorithms can be modified such that they 
can correct erasures and errors HD. This modification has the 
same effect as decoding a punctured RS code. Assuming that 
when transmitting a codeword from lZS(q;n,k), 5 erasures 
and r errors occurred, we can simply transform the decoding 


problem into correcting r errors in 'RS(q: n — 6. fc). So 
decoding is successful if 5 +2t <d = n — k + l. However, 
since the rate of the code used in the transformed problem is 
larger than the original. Power Decoding might not be helpful 
when a lot of erasures occur. 

The main benefit of RS codes is their flexibility. The param¬ 
eter k (respectively d ) can be chosen arbitrarily. Additionally, 
Power Decoding can be applied. Finally, RS codes have better 
decoding properties than RM codes. However, if the same 
decoding algorithm should be used for all outer codes, the 
codes must be defined over the same finite field F g m. For 
the dimensions of the inner codes of two subsequent partition 
levels j and j — 1, it must be kj-\ — kj = m, where m = 2 m 
is the size of the field. Since n 0 < 2 m , m must be chosen 
sufficiently large. 

D. Generalized Minimum Distance Decoding 

Generalized Minimum Distance (GMD) decoding (cf. SH) 
is a method to increase the number of correctable errors beyond 
half the minimum distance by incrementally declaring the least 
reliable positions of a received word to be erasures. Hence, 
soft-information and error-erasure decoders are needed. 

E. Maximum Likelihood Decoding 

Maximum Likelihood (ML) decoding finds the most likely 
codeword with respect to the received word. Thus, decoding 
only fails if two or more codewords are equally likely. For 
most codes, no sufficiently fast ML decoder exists, but it is 
applicable to codes with small dimension. Since the inner 
codes of GC codes often fulfill this requirement, we use ML 
decoders in order to decrease decoding failure probabilities of 
the inner codes. 

IV. Code Constructions using GC Codes 

In this section, we show how codes for key reproduction 
in PUFs can be constructed using RM and RS codes in 
combination with GC codes. First, we describe how codes 
for PUFs can be constructed based on GC codes in general. 
As a starting point, the desired codeword length n and a 
dimension k which is at least the key size must be chosen. 
If the information theoretic uncertainty of the source is small, 
a larger k together with a hash function can be used to create an 
output with good cryptographic properties. Next, two numbers 
n,i and n 0 such that n,n Q = n must be found, where rii denotes 
the length of the inner codes and n 0 denotes the length of the 
outer codes. rii must be chosen large enough such that an inner 
code with this length exists which can be partitioned easily. 
The easiest way to define a partitioning is to take a linear code 
and a linear subcode of it. Then, all distinct cosets of this 
subcode form a partitioning of the code. If the large code has 
dimension fc ,; and the subcode has dimension fc , +1 < fc ,, then 
the number of partitions is g fc *-L +1 (here, we only consider 
binary inner codes, so q = 2). Afterwards, good outer codes 
with length n 0 have to be chosen to protect the partition indices 
for each partition level. The dimensions of the codes must be 
chosen such that their sum is equal to the desired dimension 
fc of the entire code. Usually, the dimensions are chosen such 
that they increase with the partition level. 

We already described in Section IIII-BI why RM codes are 
suitable as inner codes. Due to their easily implementable 
decoding algorithms, they can also be used as outer codes. 
An example construction using only RM codes is given in 















Section IIV-AI which has better properties than the codes 
commonly used for error correction in PUFs. However their 
dimension cannot be chosen arbitrarily, which restricts their 
use as outer codes. Therefore, in Section IIV-CI we also show 
how RS codes can be used instead. 

A. Reed-Muller Example Construction 

In |T), a design for cryptographic key generators based on 
PUFs was introduced, using a concatenation of a (318,174,35) 
BCH code and a (7,1, 7) Repetition code in order to generate 
a 128 bit key with error probability P err = 10~ 9 . The paper 
considers error models with BSC crossover probabilities p 
ranging from 0.12 to 0.14, leading to different PUF entropies. 
The higher this entropy is, the fewer bits are needed to hash 
to the same key size. For a minimum code dimension, we 
consider the maximum entropy case with p = 0.14. For a fair 
comparison to m, the block error probability P err should be 
roughly 10 -9 for a 128 bit key. Thus, we have to choose a 
code with dimension > 128 and aim for a block length less 
than the one used in m, namely 2226. 

We give a more detailed description and analysis of the 
example code construction which we introduced in (21 • The 
example improves existing schemes in code length, block error 
probability and easiness of the implementation. We choose a 
generalized concatenation of an inner (16,5,8) Simplex code 
B W and RM codes of length 128 as outer codes Hence, 
we obtain a code of length 128 • 16 = 2048, i.e. it can be 
represented as a matrix with 128 rows, each containing a 
codeword of the Simplex code. 


SW(16,5,8) Level 1 



Figure 3. Partition of the inner code £?T) (16, 5, 8). 

The inner code B HI is partitioned into 16 disjoint subcodes 
B\ with parameters (16,1,16), e.g. Bq 0 j 00 can be the repeti¬ 
tion code of length 16 and all other elements of the partition 
are its distinct cosets. The enumeration i € {0000,..., 1111} 
is then protected by four TZA4(l, 7) codes, one for each bit. 
Since the subcodes B\ contain exactly two elements each, 
we can again partition them into subcodes containing only 
one element, and B^\. The enumeration {0,1} is then 
protected by a THAI (4, 7) code. The partition tree is illustrated 
in Figure [3 Thus, we can encode 4 • 8 + 99 = 131 > 128 bits. 
Encoding is illustrated in Figure [4] and explained in Table 3 

A detailed description of the decoding process is visualized 
in Figure [5] and explained in Table QI] The soft information 
mentioned in Steps (c) and ( g ) is obtained from the number 
of errors corrected in Steps (a) and (e) respectively. 

- Note that the resulting code has dimension 131 = 32+99, where 32 = 4-8 
bits are encoded using A ' 1 s and 99 bits are encoded using A <2 ^. 


41 41 16 
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Figure 4. Illustration of the encoding steps (Legend: cf. table [!}. 


Block/Stef 

Description 

1 

(8 x 4)-matrix containing 32 information bitfl 

(a) 

Column-wise encoding in A^ = IZA4(1,7) = 

C( 128,8,64). 

III 

Result of Step (a). (128 x 4)-matrix, whose columns are 

codwords of A^. Each row provides first partition index i 

1 2\ 

(4 bits) for encoding Step (c) (chooses B\ ). 

II 

(99 x 1)-matrix containing 99 information bitfl 

0 b) 

Encoding in A (2) = HM{ 4, 7) = C(128, 99, 8). 

IV 

Result of Step ( b ). (128 x l)-matrix which is codword of 
A^. Each row provides second partition index j (1 bit) for 
encoding Step (c) (chooses B\ ? -)• 

(c) 

Takes row-wise partition indices i (from III ) and j (from 

(3) 

IV) and writes the codeword contained by B\ ■ (note that 
this code contains only one codeword) in the corresponding 
row of V. 

V 

GC codeword (length n = 128 • 16 = 2048) obtained by 
encoding the k = 131 bits from I and II. 


Table I 

Legend to Figure[4](Encoding). 


B. Analysis of the RM-Example 

We derive an upper bound on the block error probability 
Perr of the code described in Section IHI-DI For GC codes, 
decoding is realized in several steps. We look at the events 
/Si,..., S r , where S, is the event that decoding in step i fails. 
Since the decoder is only successful if all steps work properly, 
we can give an upper bound for P err using the Union Bound: 

( r \ r 

<E p (^) o) 

i=1 / *=1 

Hence, the block error probability is upper-bounded by the 
sum of the error probabilities of each step. In the example 
from Section IHI-DI we can group the decoding process into 
two major steps, namely Si consisting of steps (a) — (d) and 
S 2 with (e) — (h) (cf. Table [TTJi. P (Si) can be calculated 
by transforming the BSC with p = 0.14 into a binary error 
and erasure channel by ML decoding of the inner Simplex 
(16,5,8) code. By simulation, we obtain the following pa¬ 
rameters of this transformed channel: 

P (error) = 0.020698, 

P (erasure) = 0.155532. 






































The error-erasure decoder of the outer 1ZM. (1,7) = 

C( 128, 8, 64) code can decode correctly, if 2t + S < 64, where 
r is the number of errors and S is the number of erasures. 
Using this condition, we obtain 

P(Si) = P(2 t + S> 64) 

128 

= J2 P {$ = i) P (2r > 64 - i I S = i) 

2=0 

« 9.51 • 10“ 12 (4) 

The probability P (S 2 ) can be calculated similarly. It turns out 
that P (£ 2 ) ~ 1.48 • 1CT 9 . Using these results, we obtain the 
following upper bound on P err : 

P err < 9.51 • 1(T 12 + 1.48 ■ 1CT 9 « 1.49 • 10" 9 

However, this probability can be further decreased by using 
GMD decoding. This effect is not easy to analyze analytically, 
but has a large impact on the error probability. Simulations 
have shown that the actual block error probability is given by: 

P err « 5.37 • 10" 10 (5) 

Compared to the code construction used in Q], we obtain a 
smaller block error probability using GC codes. We have also 
decreased the codeword length from 2226 to 2048. Another 
advantage of our construction is that decoding is easier to 
implement, since we only use codes with decoders working 
over F 2 . Table HIH summarizes the improvements. 


16 16 4 4 
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Figure 5. Illustration of the decoding steps (Legend: cf. table hd. 

C. Reed-Solomon Construction 

The result of Section IIV-AI provides a code construction 
which improves commonly used coding schemes for key 
reproduction in PUFs. However, the use of RM codes as outer 
codes in the GC scheme is not as flexible as sometimes desired. 
Thus, we show how GC codes can be constructed using RS 
codes as outer codes and improve the code construction from 
Section HV-CI in the code length. 

The possible length n 0 of the outer RS codes is upper 
bounded by their field size, which again is restricted by the 
number of partitionings. This means that the length of the inner 
codes rii must be sufficiently large, such that at each partition 


Block/Stef 

Description 

i 

(128 x 16)-matrix containing the received word. Rows are 
codewords of B = 7?JV4(1, 4) (Simplex code) plus error. 

(a) 

Row-wise ML decoding in B^\ Result: c E B^ or (g) 16 
(erasure if closest codeword not unique) 

II 

Result of Step (a). Rows are codewords of B or (g) 16 

(b) 

Remapping of every row (codewords of B^) to index (4 
bits) of the partition which contains the row. If erasure, result: 

(g) 4 . 

III 

Result of Step (6). Rows are 6 {0, l} 4 U {® 4 }. 

(c) 

Column-wise error-erasure decoding (optional: GMD us¬ 
ing soft information obtained from step (a)) in A^ = 
IZM{ 1,7) = C(128, 8,64). If decoding fails: Declare 
failure of algorithm. 

IV 

Result of Step (c). Columns are E 72.A4(1,7). Rows give 

(2) 

indices i (4 bits) which specify in which partition B\ ' the 
rows must be decoded in the second part of the algorithm. 

0 d ) 

Extraction of the first 32 = 4-8 information bits (each 
column of IV is a codeword of a C(128, 8, 64) code which 
corresponds to exactly one information word of length 8). 

(e) 

(2) 

Row-wise ML decoding in B\ , where i denotes the parti¬ 
tion index for each row given by the corresponding row of 
IV. 

V 

Result of Step (e). Rows are codewords of B^ or (g) 16 (if 
closest codeword not unique). 

(/) 

(2) 

Remapping of every row (codewords of B - ) to index j (1 
(3) (2) 

bit) of the partition B\ • of B\ which contains the row. If 
erasure: (g). 

VI 

Result of Step (/). 

C 9) 

Error-erasure decoding (optional: GMD using soft informa¬ 
tion obtained from step (e)) of the column in A^ = 
UM{ 4,7) = C(128, 99, 8). If decoding fails: Declare 
failure of algorithm. 

VII 

Result of Step ( g ). Column contains codeword of A^. 

C h) 

Extraction of remaining 99 information bits which corre¬ 
spond to the A^ = C(128, 99, 8) codeword in Block VII. 


Table II 

Legend to Figure[5](Decoding). 


level i, partitions of 23W in more subcodes than the length n 0 
of the outer codes are possible. 

We first illustrate how much the code rate can be reduced 
when using RS codes in a concatenated scheme by giving 
an example of an ordinarily concatenated code based on RS 
codes. The example uses a 7\LA/((1, 5) = C(32,6,16) code as 
inner code which transforms the BSC with p = 0.14 into a 
binary error and erasure channel with P (error) = 0.003170 
and P (erasure) = 0.017605 using ML decoding. As outer 
code, we use a 1ZS(2 6 -, n, k ) code with n < 2 6 = 64 and k = 
22 because the overall dimension of the code must be 6k > 
128 bits. If we choose n = 64, we obtain a code with length 
n = 64 • 32 = 2048 and we can calculate that P err ~ 6.79 • 
10~ 3 ' using the same equation as ©. Since this probability is 
by far smaller than necessary, we can use the flexibility of RS 
codes and reduce n arbitrarily. This is easy to realize with the 
same decoder as for the 1ZS(2 6 -, 64, k) code by declaring some 
codeword positions to be erasures. If we use a 1ZS(2 6 ; 36, 22) 






















































code, the code length can be reduced to 1152 and we obtain 
a block error probability of P err ~ 1.19 ■ 10“ 10 . Note that we 
have already reduced the code length by half compared to the 
construction in m. 

In the following, we give an example that reduces the code 
length even more by using GC codes. We partition an extended 
BCH ma code £«(32,11,12) into thirty-two 32,6,16) 
codes (i £ {0, l} 5 ), which we again partition in £> l 'y ) (32.1,32) 
codes (j £ {0, l} 5 ). As outer codes we use RS codes to 
protect the partitions, e.g. an .A*- 1 ) = TZS(2 5 - 32, 2,31) code 
to protect the partitioning from level 1 to level 2 and an 
_ 4 ( 2 ) = JlS(2 5 - : 32,19,12) code between levels 2 and 3. 
The partition from level 3 to level 4 is protected by an 
_4.( 3 ) = 7\LM(32, 26,4) code. The partition tree for this 
example is visualized in Figure [ 6 ] Encoding and decoding is 
done similarly to the RM example in Section II V’-AI 


B (1) (32,ll,12) 
00000/ ■■■ \lllll 


^ooooo(32,6,16) 


£*uin (32,6,16) 


000 M/ '' ■ 

^ 00000 , 00000 ( 32 , 1 , 32 ) ■■■ , 

0/ \l 

«( 4 ) «( 4 ) 

°00000,000000,1 D ooooo,000000,0 


11111 


o( 3 ) 

-’ 00000,11111 


(32,1,32) 


Level 1 

- / 1) (2 5 ;32,2,31) 

Level 2 

- / 2 >(2 B ;32,19,12) 

Level 3 

- ^4t 3 l (2 1 ; 32, 24,4) 

Level 4 


Figure 6. Partition of the inner extended BCH code 32,11,12). 

We analyze the decoding capabilities of the code step by 
step. In Step 1, ML decoding in B^{Z2, 11,12) transforms 
the channel in a binary error and erasure channefl with 
P (error) = 0.037808 and P (erasure) = 0.174488. Decoding 
up to half the minimum distance in the outer code would leave 
us with P (Si) ss 1.03 • 10 -8 , which is too high. But since the 
7£S(2 5 ; 32, 2, 31) code has a low rate, we can apply Power 
Decoding (cf. Section ITlI-Cl) and obtain an error probability of 
P(Si) « 1.48-10" 11 . 

Step 2 transforms the BSC into a binary error and era¬ 
sure channel with P (error) = 0.0032167 and P (erasure) = 
0.0175397. Hence, decoding in 1ZS(2 5 -, 32,19,12) yields an 
error probability of P (S 2 ) ~ 3.11 • 1(T 10 . 

The last step has P (S 3 ) ss2.13-10~ n . Hence, the overall 
block error probability is upper bounded by 

P err < P (Si) + P (S 2 ) + P (S 3 ) « 3.47 ■ 10 ~ 10 

0 

Thus, the example satisfies the constraints and reduces the code 
length to n = 32 • 32 = 1024. 

V. Evaluation and Conclusion 

We explained how coding theory is used for reproducing 
cryptographic keys using PUFs. Furthermore, we proposed 
code constructions and decoding methods which improve ex¬ 
isting coding schemes for PUFs and illustrated these by giving 
examples. Table m summarizes the properties of the example 
constructions. It can be seen that our approach can achieve 
significantly reduced codelengths, block error probabilities or 
decoding complexity. In future work, more methods from 
coding theory can be examined for suitability in this setting. 

3 The parameters of the transformed channel have been calculated by 
simulation of ML decoding of the inner code. 
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Code (Section) 

p err 

Length 

Largest FielcQ 

BCH Rep. 03 

10 -9 

2226 

F 2 s (BCH) 

GC RM fTvTT 

5.37 ■ lO" 10 

2048 

F2 

RS fivTl 

6.79 ■ Hr 37 

2048 

F 2 6 

RS fivTt 

1.19 ■ 10 _1 ° 

1152 

F 2 6 

GC RS fTvTl 

3.47 ■ 10“ 10 

1024 

F 2 5 


Table III 

Comparison between the code constructions. 
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